aio-libs/aiohttp-remotes

XForwardedStrict fails when NOT behind a proxy

rgacote opened this issue · 6 comments

XForwardedStrict always fails when not running behind a proxy.
I believe the XForwardedStrict middleware should immediately return await handler(request) if the result of self.get_forwarded_for(headers) is an empty list (although I might be missing some additional intent).

A test case without an X-Forwarded-For header is absent; I provide one below:

from aiohttp import web
from aiohttp_remotes import XForwardedStrict
from aiohttp_remotes import setup as _setup


async def test_x_forwarded_strict_no_forwarding(aiohttp_client):
    # Direct request, no proxy in front: no X-Forwarded-For header is sent,
    # so the handler should see the loopback peer address untouched.
    async def handler(request):
        assert request.remote == '127.0.0.1'
        return web.Response()

    app = web.Application()
    app.router.add_get('/', handler)
    # One trusted proxy hop that is never actually present in this test.
    await _setup(app, XForwardedStrict([['20.20.20.20']]))
    cl = await aiohttp_client(app)
    resp = await cl.get('/')
    assert resp.status == 200

Hi, I'm GitMate.io!

It seems you've just enabled the issue triaging. I'm just scraping all issues from your repository and will give you some more information about this in a few minutes or so.

Because of the rate limit we can't scrape all information (including all comments and authors) right now - our system is already set up to scrape this in the next days over which the predictions will become more precise every day.

If you want me to use a different account for triaging your issues, simply create one and log in with it.

Sit tight!

XForwardedStrict is intended to be used in a config with reverse proxy.
If it was configured for a proxy but no X-Forwarded header is present -- it is a configuration (or deployment) error.
If you don't need such strict security -- use XForwardedRelaxed (which could be compromised but maybe good enough for your case).

Andrew: Thanks for your speedy response (and the great library).

I disagree with the premise that it is a deployment configuration issue as I want to run the same code in development (desktop without a proxy) and deployment (behind a proxy).

In production environments, I frequently find the need to access the service directly via a curl command (testing new deploys, monitoring, etc.)--though I could add an X-Forwarded-For header to the curl command.

I put together a pull request (including test), with the understanding that your use case is different than mine.

Regards, Ray

Say again, if you want to pass over the strict check -- use XForwardedRelaxed.

I agree we have a different understanding of the library usage.
I use different configs for development and production.
XForwardedStrict policy is not installed on a dev box. It is pretty easy.
For handling health checks and monitoring I use a whitelist of internal paths: XForwardedStrict(['x.x.x.x'], white_paths=('/ping', '/monitor'))
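A stand-alone model of the two policies discussed above (strict chain check with white_paths bypass versus the relaxed fallback), added here as an illustration and not code from aiohttp-remotes; the function names, the ValueError and the 400 status are assumptions of this example, and all addresses are constructed sample values.

```python
# Added stand-alone model of the policies discussed in this thread; it is not
# aiohttp-remotes code. Function names, the ValueError and the 400 status
# mirror the behaviour described above but are assumptions of this example.
from ipaddress import ip_address, ip_network


def parse_xff(header):
    """Split an X-Forwarded-For value into IPs, left (client) to right (last proxy)."""
    return [ip_address(p.strip()) for p in header.split(",") if p.strip()] if header else []


def resolve_strict(peer_ip, xff_header, trusted, path="/", white_paths=()):
    """Strict policy: the chain must hold exactly one entry per trusted hop.

    `trusted` is one list of IPs/networks per proxy hop, e.g. [['20.20.20.20']].
    The chain is walked from the TCP peer backwards through X-Forwarded-For.
    With no proxy and no header the chain is one hop short, so the request is
    rejected by design (the behaviour the issue reports); the same length
    check also rejects an extra entry appended by a client talking directly.
    """
    if path in white_paths:  # e.g. ('/ping', '/monitor') for health checks
        return peer_ip
    hops = [[ip_network(n, strict=False) for n in hop] for hop in trusted]
    chain = [ip_address(peer_ip)] + list(reversed(parse_xff(xff_header)))
    if len(chain) != len(hops) + 1:
        raise ValueError(f"expected {len(hops)} proxy hop(s), got {len(chain) - 1}")
    for ip, hop in zip(chain, hops):
        if not any(ip in net for net in hop):
            raise ValueError(f"untrusted proxy {ip} in X-Forwarded-For chain")
    return str(chain[-1])


def resolve_relaxed(peer_ip, xff_header):
    """Relaxed policy: first X-Forwarded-For entry if present, else the peer.

    Works without a proxy, but any direct client can set the header, which is
    the trade-off Andrew points out.
    """
    forwarded = parse_xff(xff_header)
    return str(forwarded[0]) if forwarded else peer_ip


def strict_response(peer_ip, xff_header, trusted, path="/", white_paths=()):
    """What a caller observes behind the strict policy: (HTTP status, remote)."""
    try:
        return 200, resolve_strict(peer_ip, xff_header, trusted, path, white_paths)
    except ValueError:
        return 400, None


if __name__ == "__main__":
    TRUSTED = [["20.20.20.20"]]  # constructed: one trusted proxy hop
    print(strict_response("127.0.0.1", "", TRUSTED))                        # curl direct: rejected
    print(strict_response("127.0.0.1", "", TRUSTED, "/ping", ("/ping",)))  # whitelisted path
    print(strict_response("20.20.20.20", "203.0.113.7", TRUSTED))           # via the proxy
```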